Run Unleashed on the Ruckus R730

The R730 has similar hardware to the R850, so can be converted to run Unleashed.

NOTE

The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP then you will have to substitute it's assigned IP address anywhere the text 192.168.0.1 appears below.

Download and extract vulnerable R730 firmware

Download the ZoneDirector 10.1.2.0.120 Software Release, which contains a vulnerable R730 AP image.

Your internet browser can extract the R730 AP Image from the ZoneDirector Software Image.

Manual Extraction Steps

Decrypt the image, then use an archive tool like 7-Zip to extract the firmwares/ap-patch/patch000/ap-arm-11ax/10.1.2.0.120/rcks_fw.bl7.main AP image file.

Install the vulnerable firmware

Login to the AP's web administration interface.

TIP

You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if you don't know the username & password.

The default username is "super", password is "sp-admin".

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade the firmware

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select the rcks_fw.bl7.main firmware file you extracted above.
Choose Perform Upgrade.

TIP

The upgrade will take a few minutes.

SSH to the AP

$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1

Perform command injection

rkscli: Ruckus

Now type ";/bin/sh;" and hit enter (you won't be able to see what you're typing)

grrrr

TIP

Instead of grrrr, another dog noise could be printed to the screen.

Escape to shell

rkscli: !v54!
What's your chow:

Now hit enter

BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

You now have a root shell.

Store R850 model information

# bsp set name R850
# bsp set model R850
# bsp commit

You will see something like this:-

Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash

You should now immediately install Unleashed.

WARNING

Especially do not factory reset the AP until you've installed the Unleashed firmware.

Install Unleashed

Login to the AP's web administration interface.

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade to Ruckus Unleashed

I assume you have downloaded the latest Ruckus R850 Unleashed firmware.

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R850 Unleashed firmware file.
Choose Perform Upgrade.

TIP

The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.

Notes

• The R730 reportedly has issues with 160Mhz wide channels, so it's best to limit channel width to 80Mhz or less.

• If your AP is broadcasting an extra Technical.Support-xxxx SSID after you've finished setting up Unleashed, then you can try enabling Unleashed Multi-Site Manager (Admin & Services >Administration > Network Management > Unleashed Multi-Site Manager) with an unreachable IP, then immediately disabling it again.